The lack of this has been a perennial thorn for people behind corporate TLS MITM ALG proxies; when it's soluble, it's still annoying, and sometimes the proxy applications don't use a stable root bundle, rendering the situation kinda insoluble.

Pip added truststore support back in version 22.2, but Twine still seems to require users to rustle up CA bundles themselves, which can be difficult and is actually infeasible with certain proxy software (e.g. ZScaler) that rotates the roots regularly and distributes new bundles into the system trust stores via a system-level mechanism like Active Directory.

The current draft of the code only applies truststore during CLI dispatch, to avoid interfering with Twine's use as a library, per truststore documentation:

inject_into_ssl() must not be used by libraries or packages as it will cause issues on import time when integrated with other libraries. Libraries and packages should instead use truststore.SSLContext directly which is detailed below. The inject_into_ssl() function is intended only for use in applications and scripts.